champoi Posted November 27, 2008 Share Posted November 27, 2008 as the title says, are $_session variables invulnerable to sql injections? i know that $_post and $_get variables can be targets for sql injections, just wondering if its the same with $_session, Link to comment https://forums.phpfreaks.com/topic/134544-are-_session-invulnerable-to-sql-injections/ Share on other sites More sharing options...
Mchl Posted November 27, 2008 Share Posted November 27, 2008 Only you (the programmer) can put something into $_SESSION variable, so it's up to you. Link to comment https://forums.phpfreaks.com/topic/134544-are-_session-invulnerable-to-sql-injections/#findComment-700540 Share on other sites More sharing options...
btherl Posted November 28, 2008 Share Posted November 28, 2008 $_SESSION only stores data for you. If you take data from a user that contains an sql injection, store it in $_SESSION then take it out, then you are still at risk. But if you take data from the user (from $_POST for example), sanitize it, then store it in $_SESSION, then it is now safe data. So $_SESSION basically has no effect on safety of variables, since session data is set by you, not by the user. The thing to check is whether the data you put in $_SESSION originated from $_POST or $_GET (or $_REQUEST or $_COOKIE) Link to comment https://forums.phpfreaks.com/topic/134544-are-_session-invulnerable-to-sql-injections/#findComment-700703 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.